Hello Raggedy,
Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions.
---------------------------
Go to My Computer -> Tools -> Folder Options -> View tab:
* Under the Hidden files and folders heading:
* Select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
---------------------------
Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pjaimjxdto] C:\WINDOWS\System32\erdfhjzn.exe
O4 - HKLM\..\Run: [velmp] C:\WINDOWS\velmp.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [t32] C:\WINDOWS\kltse.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
Click 'Fix Checked' and close HijackThis.
---------------------------
Delete the following Files if they still exist.
C:\WINDOWS\System32\erdfhjzn.exe
C:\WINDOWS\velmp.exe
C:\WINDOWS\System32\automove.exe
C:\WINDOWS\kltse.exe
C:\WINDOWS\jawa32.exe
---------------------------
Reboot into Normal Mode
---------------------------
Perform an online scan using Internet Explorer with Panda ActiveScan
- Click on "Free use ActiveScan" located on the top right hand corner
- Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
- Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
- Begin the scan by selecting My Computer
- If it finds any malware, it will offer you a report.
- Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
- Click on see report. Then click Save report
Please post that log in your next reply along with a new HijackThis log.
__________________
Member of ASAP since 2005
Member of UNITE since 2006
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
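
The following is an added example, not part of the original post: a small Python cross-check that parses the O4 autorun lines from the fix list above and matches them against the files in the delete list, so a responder can see which startup values launch which file and whether either list has an entry the other lacks. The function names and the regular expression for the O4 line layout are assumptions made for this example.

```python
import ntpath
import re

# O4 autorun entries and delete list copied from the post above.
FIX_LIST = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [pjaimjxdto] C:\WINDOWS\System32\erdfhjzn.exe
O4 - HKLM\..\Run: [velmp] C:\WINDOWS\velmp.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [t32] C:\WINDOWS\kltse.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
""".strip().splitlines()

DELETE_LIST = [
    r"C:\WINDOWS\System32\erdfhjzn.exe",
    r"C:\WINDOWS\velmp.exe",
    r"C:\WINDOWS\System32\automove.exe",
    r"C:\WINDOWS\kltse.exe",
    r"C:\WINDOWS\jawa32.exe",
]

# Assumed layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

def parse_o4(line):
    """Return hive/key/name/cmd for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def cross_check(fix_lines, delete_paths):
    """Map each delete-list file to the autorun values that launch it."""
    wanted = {ntpath.normcase(p): p for p in delete_paths}  # Windows paths ignore case
    covered, no_delete_step = {}, []
    for line in fix_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        path = wanted.get(ntpath.normcase(entry["cmd"]))
        if path:
            covered.setdefault(path, []).append((entry["hive"], entry["name"]))
        else:
            no_delete_step.append(entry["name"])  # autorun value fixed, no file listed
    unreferenced = [p for p in delete_paths if p not in covered]
    return covered, no_delete_step, unreferenced

if __name__ == "__main__":
    covered, no_delete_step, unreferenced = cross_check(FIX_LIST, DELETE_LIST)
    for path, values in covered.items():
        print(path, "<-", values)
    print("fixed without a delete step:", no_delete_step)
    print("deleted without an autorun entry:", unreferenced)
```

Run against these lists, it shows that jawa32.exe is launched from both the HKLM and HKCU Run keys and that the AlcxMonitor value has no matching file in the delete list.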